<div dir="ltr">On Fri, Dec 28, 2012 at 2:54 PM, Scott Plante <span dir="ltr"><<a href="mailto:splante@insightsys.com" target="_blank">splante@insightsys.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:arial,helvetica,sans-serif">Actually, as I ponder a bit more, I have to agree with you David. My other points not withstanding, an SSH key is about "having" something, and a password is about "knowing" something. So ssh key+password is having+knowing. I'm still interested in the security token thing for some applications, but it's also about "having" something, so ssh key+token is really just having+having. They're potentially different things that you have and that might offer some advantages, but having+knowing is better.<div>
<br></div><div>Scott</div><div><br></div></div></div></blockquote><div style><br></div><div style>Thinking some more, it occurs to me that PW+otp is probably slightly more secure than PW+key, but at the expense of always needing your OTP generator (so, phone with dead battery could be a problem). It's theoretically possible to capture the unencrypted SSH key out of memory (or get it from disk for someone who doesn't use a passphrase -- and if you have that access, keylog the password). With OTP, while you can keylog one entry of the OTP, that will only be valid for ~1 minute.</div>
<div style><br></div><div style>Hrrm, SSH key + otp + password? Overkill? Probably...</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div style="font-size:12pt;font-family:arial,helvetica,sans-serif"><div><hr><div style="font-size:12pt;font-style:normal;font-family:Helvetica,Arial,sans-serif;text-decoration:none;font-weight:normal"><b>From: </b>"Scott Plante" <<a href="mailto:splante@insightsys.com" target="_blank">splante@insightsys.com</a>><div class="im">
<br><b>To: </b>"Atlanta Linux Enthusiasts" <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>><br></div><b>Sent: </b>Friday, December 28, 2012 3:10:16 PM<div><div class="h5"><br><b>Subject: </b>Re: [ale] OpenSSH RequiredAuthentications2 publickey,password<br>
<br><div style="font-size:12pt;font-family:arial,helvetica,sans-serif">True, kinda. I do maintain a lock code on my phone so you'd still have to get past that, and while I might leave my laptop or tablet in my room, it's extremely rare for me to leave my phone. <div>
<br></div><div>Also, I get that in certain ways the phone token is less secure than the password. Certainly I don't want to look up a phone token every time I do an SSH connection. In my case, I'm worried about me and a couple of other people using ssh, so I can enforce the use of a passphrase with SSH. I realize that an admin with lots of ssh users can't really enforce that. Of course, in other ways, the phone token can be more secure than the password, because you do actually have to get possession of my phone or list of single use codes. It eliminates a number of different password attacks.</div>
<div><br></div><div>Thanks for the link and info. I kinda knew it was possible, but I've been trying to find the time to search for some kind of how-to for setting all that up. Also, my firewall is pfSense so I need BSD support on that side. Just one of many projects on the list.</div>
<div><br></div><div>Scott<br><br><hr><div style="font-size:12pt;font-style:normal;font-family:Helvetica,Arial,sans-serif;text-decoration:none;font-weight:normal"><b>From: </b>"David Tomaschik" <<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>><br>
<b>To: </b>"Atlanta Linux Enthusiasts" <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>><br><b>Sent: </b>Friday, December 28, 2012 2:20:12 PM<br><b>Subject: </b>Re: [ale] OpenSSH RequiredAuthentications2 publickey,password<br>
<br><div dir="ltr"><div>Key + Phone Token doesn't add as much as Key + Password. With Key + Phone token, if I break into your hotel room and you've left your phone and laptop, you're done.<br><br></div><div>
That being said, the Google Authenticator app is just an implementation of RFC 6238 TOTP -- and there's a PAM module available: <a href="https://code.google.com/p/google-authenticator/" target="_blank">https://code.google.com/p/google-authenticator/</a></div>
<div><br></div><div>So, with current OpenSSH, you can do password + otp via PAM.</div><div><br></div><div>(Since we're discussing a Google product, the usual disclaimer about this being my opinion only, not speaking on behalf of my employer, etc. applies.)</div>
<div><br></div><div>David</div><div><br></div><div><br></div>On Fri, Dec 28, 2012 at 11:06 AM, Scott Plante <span dir="ltr"><<a href="mailto:splante@insightsys.com" target="_blank">splante@insightsys.com</a>></span> wrote:<br>
<div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:arial,helvetica,sans-serif">
Rather than a password, I'd like to see something like what Google does. They have an app on your phone that generates a temporary code that you have to enter. Or they can text you the code, if you don't have a phone that'll run the app. The code is only good for a very short period, like 20-30 seconds. In Google's case, it's in addition to a password. You don't have to enter the code every time on a given device, but you do every so often (maybe once a month). You always have to enter it the first time on a new device. When you set this up for your Google account, they also give you a list of long, one-time-use passwords to print and keep in your (physical) wallet or some secure location. You can use them in case the 2-factor system is down or you don't have your phone. This is similar to the key-fob Security Tokens that have been out for more than a decade, except you don't have to buy/carry a separate device, and you don't have to replace it when your encryption gets hacked, like RSA's SecurID was. Just send out an app update.<div>
<br></div><div>I'd like to be able to set up different rules for different systems, like require code every time on the external interface to the firewall. Or always require it if you're logging in from a new IP address for a given user.<br>
<br>Scott<br><hr><div style="font-size:12pt;font-style:normal;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal"><b>From: </b>"David Tomaschik" <<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>><br>
<b>To: </b>"Mike Harrison" <<a href="mailto:cluon@geeklabs.com" target="_blank">cluon@geeklabs.com</a>><br><b>Cc: </b>"Atlanta Linux Enthusiasts" <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>><br>
<b>Sent: </b>Friday, December 28, 2012 1:17:04 PM<br><b>Subject: </b>Re: [ale] OpenSSH RequiredAuthentications2 publickey,password<div><div><br><br><div dir="ltr">Some googling around the option name (RequiredAuthentications2) suggests that it is only in RH's patched version of OpenSSH, however a patch based on that should be included in OpenSSH 6.2. I look forward to that -- SSH keys are NOT 2-factor, despite what many people may say. There's no way to force someone to have an encrypted key, so the passphrase is not a 2nd factor. I'd like to see SSH key + pw become the standard.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <span dir="ltr"><<a href="mailto:cluon@geeklabs.com" target="_blank">cluon@geeklabs.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">David:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I'm not aware of any way to configure OpenSSH to ask for multiple authentication factors. You can fudge it with PAM (password + otp, for example) but not with anything involving public<br>
keys. (Unless something has changed since I looked ~1 year ago at my last job.)<br>
</blockquote>
<br>
Good disclaimer, :) Best example I found is listed below,<br>
and while it's new to OpenSSH, it's been around in other versions (<a href="http://ssh.com" target="_blank">ssh.com</a>). Looks like two factor auth has been added to OpenSSH in certain versions. It does not work on my Bodhi Linux system. (OpenSSH_5.9p1 Debian-5ubuntu1)<br>
<br>
It also does not show up in the official docs:<br>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5" target="_blank">http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5</a><br>
<br>
I've got a Redhat system I can test in the office... and will do when I can....<br>
<br>
<br>
-------------------------------------------------------<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=657378" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=657378</a><br>
<br>
Fixed In Version: openssh-5.3p1-80.el6<br>
Doc Type: Enhancement<br>
Doc Text:<br>
Multiple required methods of authentications for sshd<br>SSH can now be set up to require multiple ways of authentication (whereas previously SSH allowed multiple ways of authentication of which only one was required for a successful login); for example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful log in. For example:<br>~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config<br>For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page.<br>
<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div>
<br></div></div>_______________________________________________<br>Ale mailing list<br><a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br><a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br><a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br></div><br></div></div></div><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>
<br></div><br></div></div><br></div></div></div><br></div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>